Death and passwords

I’m in my fifth year of tackling a major personal online project each year. 2012 was passwords, 2013 was document storage (no write-up; I standardized on Google Drive), 2014 was the family photo archive, and 2015 was getting my address book in order. This year, I’ve come up with an approach to ensuring a seamless hand-off of my online info when I die.

We’re all going to die. Only in the last year has this felt more real to me: two friends, one in his 30s, one in his 40s — both died unexpectedly last fall. While grieving for them and the families they left behind, it didn’t take long to start thinking about what would happen when it was my turn. Earlier this year, my wife and I interviewed a handful of estate lawyers, updated our wills, and set up a trust for our children. It’s not much, a simple foundation, really — but a catch-all clause about trustee rights in one of the docs our lawyer created caught my eye:

To Manage Digital Assets and Access. To access, control, modify, copy, transfer and delete all of our digital or virtual accounts and digital or virtual assets (such as music, pictures, account credits, virtual money, etc.); to access our financial accounts protected by web-based logins and passwords; to have access to our web-based accounts…

With regard to passwords, I’d fortunately invested in a password manager years ago. In addition, I enable 2-factor authentication wherever I can — this makes it much harder for anyone to gain access to my accounts. But as I worked through my plan to ensure that managing my digital assets and access would be easy, I realized that last bit — 2-factor authentication — was going to make things a bit more complicated.

Here’s what I did (and why).

Step 1: Get usernames and passwords in one place. I suppose you could store the passwords in a spreadsheet, or on paper. But the increased security of storing passwords in a secure repository, along with the added convenience of being able to easily recall the passwords in a browser or on a mobile device, means that using an app designed to store the passwords is the way to go. In addition, using either Dashlane or LastPass ensures you can take advantage of the next step, emergency sharing.

Step 2: Designate an emergency recipient in the password manager. Both LastPass and Dashlane have what I consider to be a critical feature: you can designate someone who can get access to your passwords in the event that you’re unavailable. This “emergency access” is a brilliant feature for spouses as well as executors: in the event that I’m incapacitated or dead, anyone I specify in LastPass can get access to every username and password I’ve stored in LastPass. You can specify a waiting period, or grant them immediate access.

Without this feature, ensuring that my executor has access to all usernames and passwords gets much harder: whatever list they have needs to be up to date as I create new passwords, accessible to them, and secure. A password manager is really the only way to go.

Step 3: Generate 2-factor authentication (2FA) backup codes. I reviewed the list of every site at TwoFactorAuth.org that supports 2FA. For sites where I hadn’t previously enabled 2FA, I turned it on. For every site where I had it on, I made a list of the method (SMS, token, app, etc.) — and this is the most important part — I generated new backup codes for each.

Let’s step back for a moment and talk about 2FA, because if you read the previous paragraph and thought it’s gibberish and you’ll just skip it, please don’t. This is important:

Imagine you have a username: “johnqpublic@gmail.com”. You also have a password: “!pAsSwOrD99”. For most sites, all you need to log in is a username and a password; if anyone other than you got ahold of those two pieces of info, they could log in as you. With 2FA, you add a third piece of info: a secret key, generated at the time you try to log in. Without that third piece, you won’t get in. Some sites send a text message to your cell phone — a hacker who had your username and password but not your cell phone wouldn’t be able to log in. Other sites use other mechanisms, but the idea is the same.

I’ll admit, 2FA makes life a bit more difficult — it slows down the login process, and on the rare occasion that you don’t have your 2FA device (in the example above, your cell phone), it could make it impossible for you to log in. That’s where “backup codes” come in. Not all 2FA sites support this, but many do: if you don’t have your 2FA device, you can simply use one of your backup codes to get in.

Back to my estate plan: let’s say I’ve died, and I’ve previously set up LastPass to let my executor get access to my usernames and passwords. The moment my executor attempts to log into Gmail, she’ll get a 2FA challenge. Maybe she has access to my cell phone, but maybe she doesn’t. And until she does, she won’t be able to receive SMS messages sent by 2FA-enabled sites to get into these accounts. With backup codes, she won’t have any trouble logging in as me.

I store these backup codes securely in LastPass, so that once she has access to my LastPass repository, she’ll have access to the backup codes as well as all usernames and passwords.

Step 4: Practice. None of this matters unless those you leave behind can actually get access to your information. They may not be familiar with the tools, or may not remember the steps involved. Part of the reason for writing this out is so I can share it with my lawyer and executor; I will also do a couple dry runs to ensure everyone knows how to invoke emergency access in LastPass and use backup codes to get access to my accounts.
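How backup codes typically behave behind a site's 2FA prompt, as an added example that is not part of the original post and not any site's real code; the class name `BackupCodes`, the 8-digit format and the set size of 10 are assumptions. It shows why the dry run in Step 4 needs bookkeeping: each code works once, and regenerating a set invalidates the old one, so the copy stored in the password manager has to be refreshed afterwards.

```python
import hashlib
import hmac
import secrets


class BackupCodes:
    """Generic model of one account's 2FA backup codes (hypothetical, not a real service)."""

    def __init__(self, count=10):
        self.count = count      # assumed set size
        self._hashes = set()    # the site keeps only hashes of unused codes

    @staticmethod
    def _digest(code):
        # Ignore the spaces or dashes people add when copying codes by hand.
        normalized = code.replace(" ", "").replace("-", "")
        # SHA-256 keeps the sketch short; an 8-digit space can be brute-forced
        # offline, so a real store would use a slow password hash instead.
        return hashlib.sha256(normalized.encode()).hexdigest()

    def regenerate(self):
        """Issue a fresh set. Every previously issued code stops working."""
        codes = set()
        while len(codes) < self.count:
            codes.add(f"{secrets.randbelow(10**8):08d}")
        self._hashes = {self._digest(c) for c in codes}
        return sorted(codes)    # shown once; this is what goes into the vault

    def redeem(self, code):
        """Accept a code in place of the phone or app, then consume it."""
        candidate = self._digest(code)
        match = next((h for h in self._hashes
                      if hmac.compare_digest(h, candidate)), None)
        if match is None:
            return False
        self._hashes.discard(match)
        return True

    def remaining(self):
        return len(self._hashes)


if __name__ == "__main__":
    account = BackupCodes()
    vault_copy = account.regenerate()            # stored in the password manager
    print("dry run login:", account.redeem(vault_copy[0]))
    print("same code again:", account.redeem(vault_copy[0]))
    print("codes left for the executor:", account.remaining())
```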

As I’ve worked through this update to my estate plan, it’s occurred to me that this is really about simplifying wherever possible. Death is (almost always) as unexpected as it is inevitable, so any decisions I can make today that eliminate uncertainty for those I leave behind are decisions worth making.

P.S. — Google and Facebook have both done a great job giving you the ability to plan for what happens with your accounts after you die; you should spend some time at both of the following links evaluating your options:

Google’s Inactive Account Manager. With it, you can designate an individual who can get control of your account after a prolonged period of inactivity. With the steps I’ve outlined above, IAM is redundant for me — but if you don’t follow the steps above, at the very least set this up so that your loved ones have access to your info and can update your accounts as appropriate.

Facebook’s Memorialized Accounts. You can set your account to go into “Memorialized” status upon your death, or you can tell Facebook to permanently delete your account. Memorialized accounts can allow friends to post in your memory, but you will no longer appear in birthday reminders, in ads, or “people you may know”.